8 Great Security Tips For Hardening WordPress

August 14, 2011 — 2 Comments

Keeping your WordPress site away from the bad guys is simple. For starters, make sure you have the latest version of WordPress installed; at the time of this post that is WordPress 3.2.1. But there’s more: in today’s post you’ll find some essential WordPress security tips.

1. Hiding login error messages

We have all seen the error messages that appear when we mistype a character or number, but these messages also tell an attacker whether they have guessed the username correctly. You can hide them with a simple snippet placed in your theme’s functions.php file:

// Return nothing for every login error. A closure is used because
// create_function() is deprecated in PHP 7.2 and removed in PHP 8.
add_filter('login_errors', function () { return null; });
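An added example, not code from the original post, that goes one step further than hiding the message: it returns one generic message instead of nothing, and logs every failed login through the wp_login_failed action so repeated guessing is visible to the site owner. The log line format and the use of REMOTE_ADDR are my assumptions.

```php
<?php
// Added example (not from the original post). Put it in your theme's
// functions.php. The login_errors filter replaces WordPress's specific
// messages ("invalid username" vs. "incorrect password") with one generic
// message, so the form no longer reveals which usernames exist; the
// wp_login_failed action records each failed attempt for later review.

add_filter('login_errors', function () {
    // Same wording whether the username or the password was wrong.
    return 'Invalid login credentials.';
});

add_action('wp_login_failed', function ($username) {
    // Assumption: REMOTE_ADDR is the client address (behind a reverse proxy
    // you would read the proxy's forwarded-for header instead).
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // Log line format is my choice. It goes to PHP's error log, or to
    // wp-content/debug.log when WP_DEBUG and WP_DEBUG_LOG are enabled.
    error_log(sprintf('[wp-login] failed login for "%s" from %s',
        sanitize_user($username), $ip));
});
```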

2. Maintaining Backups

Backing up your entire WordPress blog is as important as keeping it safe from hackers: if a compromise does occur, you at least have clean backup files to revert to.

3. Prevent directory browsing

Having your directories and all of their files exposed to the public can become a big security loophole.

To see whether your WordPress site is exposed, open http://www.domain.com/wp-includes/ in your browser (replacing domain.com with your own web address). If you see a blank white page or are sent back to your home page, you are safe; if a directory listing like the image below appears, you aren’t.

To prevent browsing of that directory and every directory inside it, place the following snippet in your .htaccess file:

# prevent folder browsing
Options All -Indexes

4. Keep Your Core Files & Plugins Updated

One of the best ways to keep your WordPress site safe is to make sure its files are always updated to the latest release. Here are a couple of practices you can follow:

  • Log in to your dashboard often. Why? It’s simple: the yellow notification that appears at the top of the Dashboard means an update is available, so logging in often keeps you on the latest copy of WordPress.
  • Don’t just deactivate unused plugins, remove them too. Unused plugins eventually become outdated and may pose a security risk.

5. Strong Password

Is your password safe? A strong password is more than something memorable with a few numbers tacked on (e.g. password123). For a good start, your password should be more than 12 characters long and combine numbers with lower- and uppercase letters.

To test your current password, run it through the web app How Secure Is My Password.

6. Remove the user named Admin

A typical WordPress installation comes with a default administrator account named, funnily enough, ‘admin’. If you use it to control your WordPress site, you are already making an attacker’s life easier, since half of the login is already known. Using the “admin” user should be avoided at all times; creating a new administrator account is easy to do and keeps you secure.

A safer approach is to create a new administrator and have “admin” removed. Here’s how you do it:

  • Log in to the WordPress admin panel
  • Go to Users -> Add New
  • Add a new user with the Administrator role, making sure you use a strong password.
  • Log out of WordPress and log back in as your new admin user.
  • Go to Users
  • Remove the “admin” user
  • If “admin” has posts, remember to attribute all its posts and links to the new user.

7. Protect WP-Admin Directory

Password-protecting the wp-admin folder adds an extra layer of protection: whoever attempts to access any file or directory under wp-admin will be prompted to log in first.

  • If your hosting provider uses cPanel, you can easily protect any folder via cPanel’s Password Protect Directories graphical interface.
  • Use the nifty WordPress plugin AskApache Password Protect.

Alternatively, add the following snippet to your .htaccess file. It blocks direct requests to WordPress’s include-only files (returning 403 Forbidden rather than prompting for a password):

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
# Remove the next rule on a Multisite install; it would block ms-files.php.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

8. Report Security Risks to WordPress

This tip protects not just your own self-hosted WordPress site but everyone else who uses WordPress too: if you find one or more security risks, send a friendly email with all the in-depth details you can give to security [at] wordpress.org.


2 responses to 8 Great Security Tips For Hardening WordPress

  1. I’m trying to hide the error messages on WP by editing ‘functions.php’ but it’s not working – is there somewhere specifically in the file that the code is supposed to be placed?

     Thanks! :)
     Lynn
